When using Storage Accounts, encryption keys can be managed through the Azure Key Vault to ensure disks are encrypted. There are no specific properties which need to be configured through CPI configuration.

| Disk Type | Encryption | Customer-managed Keys |
| --- | --- | --- |
| Root Disk | Required, default | Supported |
| Ephemeral Disk | Required, default | Supported |
| Persistent Disk | Required, default | Supported |

Key Rotation - encryption keys can be configured and rotated from within the Azure Portal, and Azure transparently handles re-encryption of data.